It depends.

As discussed in Q 223, the CPRA ostensibly expanded the three substantive contractual restrictions identified in the CCPA by referring to nine additional provisions that should be included within a service provider agreement by January 1, 2023. Many of the new requirements, however, may be redundant with, or subsumed within, contractual provisions that were put in place to satisfy the CCPA.

In the context of use restrictions, the CCPA required that companies prohibit service providers from “using . . . the personal information” that they received “for any purpose” other than a purpose specified in the parties’ agreement.[1] The CPRA includes the same prohibition, but also states that an agreement with a service provider should (1) specify that personal information is being provided only for a “limited and specified purpose,”[2] (2) permit the business to take reasonable steps to stop or remediate unauthorized use of personal information,[3] (3) grant the business the right to take “reasonable and appropriate steps” to ensure that a service provider’s use is consistent with the agreement,[4] and (4) prohibit a service provider from combining the business’s personal information with personal information that it receives from other clients.[5]

Many of the new use-related requirements of the CPRA may already exist within a service provider agreement or a data processing addendum. For example, to the extent that the parties’ agreements already identify the use to which data will be put, provide the parties with remedies in the event of contractual breach, and prohibit the service provider from combining data from multiple sources, the agreement may already comply with the requirements of the CPRA.